===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2024.2280.4
   CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
                                   Gateway
                               22 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GlobalProtect Gateway
                   PAN-OS
Publisher:         Palo Alto Networks
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-3400
Original Bulletin: https://securityadvisories.paloaltonetworks.com/CVE-2024-3400

Comment: CVSS (Max):  10.0 CVE-2024-3400 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)
         CVSS Source: Palo Alto Networks
         Calculator:  https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red

         Palo Alto Networks is aware of an increasing number of attacks exploiting
         this vulnerability and of publicly disclosed proof of concepts for this
         vulnerability.

         Revision History:
         April 22 2024: Vendor added new Threat Prevention ID and clarified
                        information in the advisory
         April 17 2024: Palo Alto has advised that disabling device telemetry is
                        no longer an effective mitigation
         April 15 2024: Palo Alto updated bulletin to include latest remediation
                        advice and update details
         April 12 2024: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2024-3400

CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection
Vulnerability in GlobalProtect

Severity:                   10 CRITICAL
Urgency:                    HIGHEST
Response Effort:            MODERATE
Recovery:                   USER
Value Density:              CONCENTRATED
Attack Vector:              NETWORK
Attack Complexity:          LOW
Attack Requirements:        NONE
Automatable:                YES
User Interaction:           NONE
Product Confidentiality:    HIGH
Product Integrity:          HIGH
Product Availability:       HIGH
Privileges Required:        NONE
Subsequent Confidentiality: HIGH
Subsequent Integrity:       HIGH
Subsequent Availability:    HIGH

Published:  2024-04-12
Updated:    2024-04-19
Reference:  PAN-252214
Discovered in production use

Description

A command injection as a result of an arbitrary file creation vulnerability in
the GlobalProtect feature of Palo Alto Networks PAN-OS software, for specific
PAN-OS versions and distinct feature configurations, may enable an
unauthenticated attacker to execute arbitrary code with root privileges on the
firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this
vulnerability.

Customers should continue to monitor this security advisory for the latest
updates and product guidance.

Product Status

  Versions       Affected                                  Unaffected
  -------------  ----------------------------------------  ----------------------------------------
  Cloud NGFW     None                                      All
  PAN-OS 11.1    < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3     >= 11.1.0-h3, >= 11.1.1-h1, >= 11.1.2-h3
  PAN-OS 11.0    < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4,    >= 11.0.0-h3, >= 11.0.1-h4, >= 11.0.2-h4,
                 < 11.0.3-h10, < 11.0.4-h1                 >= 11.0.3-h10, >= 11.0.4-h1
  PAN-OS 10.2    < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5,    >= 10.2.0-h3, >= 10.2.1-h2, >= 10.2.2-h5,
                 < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6,  >= 10.2.3-h13, >= 10.2.4-h16, >= 10.2.5-h6,
                 < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3,    >= 10.2.6-h3, >= 10.2.7-h8, >= 10.2.8-h3,
                 < 10.2.9-h1                               >= 10.2.9-h1
  PAN-OS 10.1    None                                      All
  PAN-OS 10.0    None                                      All
  PAN-OS 9.1     None                                      All
  PAN-OS 9.0     None                                      All
  Prisma Access  None                                      All

Required Configuration for Exposure

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1
firewalls configured with a GlobalProtect gateway or GlobalProtect portal (or
both).
Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed
to attacks related to this vulnerability.

You can verify whether you have a GlobalProtect gateway or GlobalProtect portal
configured by checking for entries in your firewall web interface (Network >
GlobalProtect > Gateways or Network > GlobalProtect > Portals).

Severity: CRITICAL

CVSSv4.0 Base Score: 10
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)

Exploitation Status

Palo Alto Networks is aware of an increasing number of attacks that leverage the
exploitation of this vulnerability. Proof of concepts for this vulnerability
have been publicly disclosed by third parties.

More information about the vulnerability's exploitation in the wild can be found
in the Unit 42 threat brief: https://unit42.paloaltonetworks.com/cve-2024-3400/.

Weakness Type

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command
Injection')

Solution

We strongly advise customers to immediately upgrade to a fixed version of PAN-OS
to protect their devices, even when workarounds and mitigations have been
applied.

This issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and
in all later PAN-OS versions. Customers who upgrade to these versions will be
fully protected.

In addition, to provide the most seamless upgrade path for customers, additional
hotfixes have been made available as a courtesy for other commonly deployed
maintenance releases.

PAN-OS 10.2:
  - 10.2.9-h1  (Released 4/14/24)
  - 10.2.8-h3  (Released 4/15/24)
  - 10.2.7-h8  (Released 4/15/24)
  - 10.2.6-h3  (Released 4/16/24)
  - 10.2.5-h6  (Released 4/16/24)
  - 10.2.4-h16 (Released 4/18/24)
  - 10.2.3-h13 (Released 4/18/24)
  - 10.2.2-h5  (Released 4/18/24)
  - 10.2.1-h2  (Released 4/18/24)
  - 10.2.0-h3  (Released 4/18/24)

PAN-OS 11.0:
  - 11.0.4-h1  (Released 4/14/24)
  - 11.0.4-h2  (Released 4/17/24)
  - 11.0.3-h10 (Released 4/16/24)
  - 11.0.2-h4  (Released 4/16/24)
  - 11.0.1-h4  (Released 4/18/24)
  - 11.0.0-h3  (Released 4/18/24)

PAN-OS 11.1:
  - 11.1.2-h3  (Released 4/14/24)
  - 11.1.1-h1  (Released 4/16/24)
  - 11.1.0-h3  (Released 4/16/24)

Workarounds and Mitigations

Recommended Mitigation:

Customers with a Threat Prevention subscription can block attacks for this
vulnerability using Threat IDs 95187, 95189, and 95191 (available in
Applications and Threats content version 8836-8695 and later). Please monitor
this advisory and new Threat Prevention content updates for additional Threat
Prevention IDs around CVE-2024-3400.

To apply the Threat IDs, customers must ensure that vulnerability protection has
been applied to their GlobalProtect interface to prevent exploitation of this
issue on their device. Please see
https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184
for more information.

In earlier versions of this advisory, disabling device telemetry was listed as a
secondary mitigation action. Disabling device telemetry is no longer an
effective mitigation. Device telemetry does not need to be enabled for PAN-OS
firewalls to be exposed to attacks related to this vulnerability.

Acknowledgments

Palo Alto Networks thanks Volexity for detecting and identifying this issue and
thanks the Capability Development Group at Bishop Fox for helping us improve
threat prevention signatures.

Frequently Asked Questions

Q. Has this issue been exploited in the wild?
   Palo Alto Networks is aware of an increasing number of attacks that leverage
   the exploitation of this vulnerability. Proof of concepts for this
   vulnerability have been publicly disclosed by third parties.

Q. Are there any checks I can run on my device to look for evidence of attempted
   exploit activity?

   The following command can be used from the PAN-OS CLI to help identify
   whether there was attempted exploit activity on the device:

     grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

   If the value between "session(" and ")" does not look like a GUID, but
   instead contains a file system path or embedded shell commands, this could be
   related to an attempted exploitation of CVE-2024-3400, which will warrant
   further investigation to correlate with other indicators of compromise.

   Grep output indicating an attempted exploit may look like the following
   entry:

     failed to unmarshal session(../../some/path)

   Grep output indicating normal behavior will typically appear like the
   following entry:

     failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)

Q. Has my device been compromised by this vulnerability?

   Customers are able to open a case in the Customer Support Portal (CSP) and
   upload a technical support file (TSF) to determine if their device logs match
   known attempted exploits for this vulnerability.

Q. Where can I find additional indicators of compromise for this issue?

   Please refer to the Unit42 Threat Brief
   (https://unit42.paloaltonetworks.com/cve-2024-3400/) and the Volexity blog
   post
   (https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/)
   for the latest information.

Q. Are VMs deployed and managed by customers in the cloud impacted?

   While the Cloud NGFW managed services on AWS and Azure are not impacted,
   VM-Series firewalls managed by customers with specific PAN-OS versions and
   GlobalProtect configurations are impacted.
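As an added illustration of the triage rule in the FAQ above (this script is not part of the advisory and is not a Palo Alto Networks tool), the following Python applies the same check offline to gpsvc.log lines exported from a device: a session value that is a well-formed GUID is treated as normal, and a value containing path components or shell metacharacters is flagged for investigation. The sample log lines are constructed for the example.

```python
import re

# Matches the log line the advisory's grep command targets and captures the
# text between "session(" and the final ")".
SESSION_RE = re.compile(r"failed to unmarshal session\((.*)\)")

# A normal session value is a GUID: 8-4-4-4-12 hexadecimal digits.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

# Characters that never belong in a session ID but do appear in file system
# paths and embedded shell commands.
SUSPICIOUS_CHARS = set("/\\`$;|&<>{}")


def classify_session_value(value):
    """Return 'normal', 'suspicious' or 'unknown' for a captured session value."""
    if GUID_RE.match(value):
        return "normal"
    if ".." in value or any(ch in SUSPICIOUS_CHARS for ch in value):
        return "suspicious"
    # Not a GUID, but no obvious path or shell content: still worth a look.
    return "unknown"


def triage_gpsvc_lines(lines):
    """Return (line_number, verdict, value) for every unmarshal-failure line."""
    results = []
    for number, line in enumerate(lines, 1):
        match = SESSION_RE.search(line)
        if match:
            value = match.group(1)
            results.append((number, classify_session_value(value), value))
    return results


# Constructed sample of gpsvc.log content; the timestamps and the third line
# are invented, the two session values mirror the advisory's examples.
SAMPLE_LOG = [
    "2024-04-12 10:01:02 failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)",
    "2024-04-12 10:01:05 failed to unmarshal session(../../some/path)",
    "2024-04-12 10:01:09 gateway heartbeat ok",
    "2024-04-12 10:01:11 failed to unmarshal session(abc)",
]

if __name__ == "__main__":
    for number, verdict, value in triage_gpsvc_lines(SAMPLE_LOG):
        print(f"line {number}: {verdict:10s} session({value})")
```

Run it against a file with `triage_gpsvc_lines(open("gpsvc.log").read().splitlines())`; a "suspicious" verdict is a lead to correlate with the other indicators referenced in the advisory, not proof of compromise.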
Timeline

  2024-04-19  Clarified vulnerability title and description
  2024-04-18  Clarified FAQ regarding evidence of attempted exploit activity
  2024-04-17  Added new Threat Prevention Threat ID to Workarounds and Mitigations
  2024-04-17  Added a CLI command to search for possible attempts of exploit
              activity
  2024-04-17  Updated product and mitigation guidance, exploit status, and PAN-OS
              fix availability
  2024-04-15  All necessary PAN-OS fixes are now available; clarified Workarounds
              and Mitigations when using Panorama templates
  2024-04-14  Clarified impact on GlobalProtect portal configurations
  2024-04-13  Added link to Unit42 threat brief and clarified impact to
              customer-managed VMs in the cloud
  2024-04-12  Initial publication

(C) 2024 Palo Alto Networks, Inc. All rights reserved.

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT
did not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================